Data Privacy and Security: Is Your Company Prepared if New Laws Are Enacted?

It’s been very clear for some time that data privacy and security are enormous issues for nearly everyone, including companies, business leadership, consumers, and governments. In just the last month, Equifax began the process of paying out $700 million to people hurt in its massive 2017 data breach. Recently, the video conference company Zoom was alerted by a user that a flaw in its cameras allowed users to access video of nearly every other user.

Data breaches have become commonplace.

Similar incidents appear in technology news every year. While these developments are significant in themselves, the greater significance may be that announcements of breaches, compromised data, and security lapses have become so common.

Laws and Regulations Are Coming

As a result, new laws about data privacy and security are highly likely to affect your company going forward. Some, like the General Data Protection Regulation enacted by the European Union last year and California’s 2018 standards for the Internet of Things, are already on the books. Others, such as Ohio’s Data Protection Act and a pending New Jersey bill, require data protection to be built into programs.

Laws, as a recent Harvard Business Review article points out, lag technological innovation. However, governments, businesses, and consumers are all about to undergo a sea change in which the laws catch up. In other words, a previously largely unregulated area is going to be regulated.

Businesses may face difficulty and risk from the proliferation of data privacy laws. In the U.S., it looks as if different states will have different laws. A large state like California, however, may de facto force many companies to build products with its regulations in mind, because it’s a large market for many businesses.

An increasing number of states, like California, are passing or developing privacy bills.

Privacy Concerns Need to Be Integral to Products, Not an Afterthought

The larger difficulty for many businesses will be precisely the sea change. Currently, many industries and individual companies operate in a “develop and market first, repair any security/data issues next” mode. In part, this is analogous to how many technology products are designed. The prototype is created and tested, but any bugs or hackable areas are patched and fixed once the market discovers them.

HBR posits that this model will no longer be viable once laws and regulations catch up to technology. It opens businesses to large risks, including a high number of security incidents, the market not finding security issues until damage has occurred, restitution issues like those facing Equifax, and, increasingly, a high likelihood of legal action against companies found to have violated consumer privacy and security.

So what do businesses need to do to avoid the risks? First, security and data protection need to be key features of products, embedded as soon as possible in the development process, according to HBR.

Second, the time and resources a company spends on privacy and security need to be pegged to the size and complexity of the code used in its products. A more complex product or a larger number of customers requires more time and resources for adequate security and privacy measures. It’s very likely that time to market and pre-market testing will be significantly more labor- and cost-intensive than they have been in the past.